**Update**: The client has acknowledged all of the 11 findings. None of them pose severe security issues as long as the processes are correctly executed off-chain. However, user trust in off-chain entities is required.

---

The [contracts in scope](#scope) constitute the dAPI market of API3:

- Through the `API3Market` contract, users can purchase subscriptions for data feed updates with specific configurations.
- The `AirseekerRegistry` keeps track of the currently active subscriptions and the constraints under which Airseekers are supposed to update the data feeds.
- The `HashRegistry` contains the Merkle roots of all allowed configurations, managed by a set of signers.

The code in scope is generally well-written and follows best practices. We have not found any significant security vulnerabilities. However, the code and its security heavily depend on the correct and honest execution of off-chain components, such as the `owner`, the different sets of `signers`, and the Airseekers. Furthermore, the out-of-scope `API3ServerV1` contract, which maintains the data feeds, interacts with the contracts in scope at several points. The security of that `API3ServerV1` contract, its interaction with the contracts in scope, and the off-chain entities were not assessed by Quantstamp.
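To make the trust dependency concrete, the following is an added illustration (not API3's code and not the audited `HashRegistry` implementation) of the pattern described above: a registry that only accepts a new Merkle root once a threshold of known signers has signed it, and that then admits a configuration only if a Merkle proof links it to the current root. The signer keys, configuration strings, threshold, and the use of SHA-256 and HMAC in place of keccak256 and ECDSA are all assumptions made for a self-contained example. The last two steps of `demo()` show the point the summary makes: once enough signers approve a root, the contract has no way to judge what that root allows, so the allowlist is exactly as trustworthy as the off-chain signer set.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # SHA-256 stands in for keccak256 (assumption, keeps the example portable)
    return hashlib.sha256(data).digest()


def hash_leaf(config: str) -> bytes:
    # Domain-separate leaves from inner nodes so a node hash cannot pass as a config
    return h(b"\x00" + config.encode())


def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing (OpenZeppelin MerkleProof style): proofs carry no position bits
    lo, hi = sorted((a, b))
    return h(b"\x01" + lo + hi)


def _pad(level):
    # Duplicate the last node when a level has an odd number of entries
    return level + [level[-1]] if len(level) % 2 == 1 else level


def _next_level(level):
    level = _pad(level)
    return [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves, index):
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        proof.append(level[index ^ 1])  # sibling at this level
        index //= 2
        level = _next_level(level)
    return proof


def verify_proof(root: bytes, leaf: bytes, proof) -> bool:
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root


def sign(key: bytes, root: bytes) -> bytes:
    # HMAC stands in for an ECDSA signature over the root (constructed for the example)
    return hmac.new(key, root, hashlib.sha256).digest()


class HashRegistry:
    """Hypothetical registry: a root is installed only with `threshold` valid signer signatures."""

    def __init__(self, signer_keys: dict, threshold: int):
        self.signer_keys = signer_keys  # signer id -> key (stand-in for address -> pubkey)
        self.threshold = threshold
        self.root = None

    def register_root(self, root: bytes, signatures: dict) -> bool:
        valid = sum(
            1 for signer, sig in signatures.items()
            if signer in self.signer_keys
            and hmac.compare_digest(sig, sign(self.signer_keys[signer], root))
        )
        if valid < self.threshold:
            return False
        self.root = root
        return True

    def is_allowed(self, config: str, proof) -> bool:
        # The contract can only answer "is this in the signed set", not "is this set sensible"
        return self.root is not None and verify_proof(self.root, hash_leaf(config), proof)


def demo() -> dict:
    keys = {"signer1": b"k1", "signer2": b"k2", "signer3": b"k3"}  # constructed signer keys
    reg = HashRegistry(keys, threshold=2)
    allowed = ["ETH/USD;deviation=1%;heartbeat=24h",      # constructed configurations
               "BTC/USD;deviation=0.5%;heartbeat=24h",
               "LINK/USD;deviation=1%;heartbeat=1h"]
    leaves = [hash_leaf(c) for c in allowed]
    root = merkle_root(leaves)
    bad = "ETH/USD;deviation=50%;heartbeat=24h"           # not in the approved set
    rogue_root = merkle_root([hash_leaf(bad)])
    out = {}
    out["root_registered"] = reg.register_root(root, {s: sign(keys[s], root) for s in ("signer1", "signer2")})
    out["approved_config_passes"] = reg.is_allowed(allowed[2], merkle_proof(leaves, 2))
    out["unapproved_config_fails"] = reg.is_allowed(bad, merkle_proof(leaves, 0))
    out["one_signature_rejected"] = reg.register_root(rogue_root, {"signer3": sign(keys["signer3"], rogue_root)})
    out["forged_signature_rejected"] = reg.register_root(
        rogue_root, {"signer1": sign(b"wrong", rogue_root), "signer2": sign(keys["signer2"], rogue_root)})
    # A threshold of genuine signers can install any root; the on-chain check cannot tell good from bad
    out["rogue_root_with_threshold_accepted"] = reg.register_root(
        rogue_root, {s: sign(keys[s], rogue_root) for s in ("signer2", "signer3")})
    out["unapproved_config_now_passes"] = reg.is_allowed(bad, [])  # single-leaf tree: empty proof
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first five results show what the contract does enforce (proof validity, threshold, signer membership); the last two show what it cannot, which is why the review's conclusion rests on the honesty of the `signers` rather than on the contract logic alone.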
| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 7 | 3 | - | - | 10 |
| Fixed | - | - | - | - | 0 |
| Total | 7 | 3 | 0 | 0 | 10 |
| # | File Name |
|---|---|
| 1 | HashRegistry.sol |
| 2 | API3Market.sol |
| 3 | AirseekerRegistry.sol |